DoS worm

["David Gillett" <gillettdavid () fhda edu>]

  Yesterday, someone (we believe it was one of our students)
unplugged a lab Mac from the campus network and plugged in a
PC (laptop, we assume).  Besides whatever the user wanted, it
apparently did three things:

1.  Attempt to open a lot of connections (port 22, SSH) to
shaman.exodus.ro (62.80.109.128), then

2.  Send a SYN flood, spoofing the source address as 0.0.0.0,
to ports 22 and 80 of weed.powered.at (195.149.115.18), and

3.  Probe random addresses in our Class B space (port 445, CIFS);
if it got a connection, it tried various SMB-type things amongst 
which I was able to pick out the string "IPC".  Five other machines
in our space eventually demonstrated similar symptoms.

  I don't know what this beast is.  I infer that #2 is a DoS attack
which is perhaps the purpose of the worm, and that #3 is its spread
vector via the IPC$ share.

  Anybody recognize this?

Dave Gillett